Voice of the Industry

Untangling GDPR – an opportunity or a challenge for payment industry players?

Tuesday 24 August 2021 09:47 CET | Editor: Raluca Constantinescu | Voice of the industry

Olivier Berthelier, co-founder and CTO of Limonetik: ‘The regulation has had significant consequences on the way European businesses work, and it also impacts retailers in North America who sell goods online into Europe.’

Since 2016, the General Data Protection Regulation (GDPR) has been imposed on companies and organisations to better protect user data. However, like any regulation, it brought consequences for companies. The implementation of GDPR started with the IS (information systems) and IT departments, which had to adapt processes and train their teams to protect the data of all stakeholders (employees, customers, and even partners, suppliers, and service providers). 

GDPR, in the spotlight 

In May 2018 the GDPR took over the scene, and European companies – like all structures generating and managing personal data – had to comply with the law. For some organisations, the implementation of the new regulation was challenging; for others, it changed nothing. In France, the CNIL (Commission Nationale de l'Informatique et des Libertés) imposed a clear framework for applying the directives that relate to confidential data about individuals' private lives. 

This new constraint is still valued by large companies, which are pleased to have a single piece of legislation. For SMEs (small and medium-sized enterprises), it is not always easy to know how to comply with GDPR while managing their daily tasks. So is GDPR an opportunity or an impasse for merchants? The regulation has had significant consequences on the way European businesses work, and it also impacts retailers in North America who sell goods online into Europe. This raises the question of whether it will be a boon or a burden for these companies. 

360° vigilance 

GDPR is a huge opportunity for ecommerce businesses to keep up with recent trends because it will likely have an impact on the data businesses are collecting and how they use it. GDPR is also going to be challenging for companies in Europe and worldwide, as there is no consideration of international law or data sovereignty. A major change under GDPR involves getting explicit consent from customers before processing their personal information or using profiling or automated decision-making processes on them. 

As a consequence, GDPR has become a constant preoccupation for IT departments. It is essential to act with a maximum of pragmatism due to the high number of constraints in the daily life of a company. 

Unfortunately, many SMEs lack the in-house resources to dedicate employees fully to compliance. Even those already experienced in handling confidential data because of their line of business, such as payment players long familiar with sensitive data, felt a significant impact, since the GDPR covers personal data regardless of its source. 

Therefore, the GDPR has added complex processes to the handling of the large amount of data generally found in a company. Consequently, it comes as no surprise that payment operators, who handle banking data in addition to other personal information, have to spend many hours with their IT, legal, HR, finance, and marketing teams to ensure that sensitive data is treated as it should be – in accordance with the regulations. 

Beyond the GDPR 

There are other standards for managing personal data. Payment providers, through their activities, are required to deal with highly sensitive information – bank card identifiers, for instance. In addition, these companies are subject to a very strict standard, PCI DSS, which requires certification renewal each year. 

Moreover, the standard requires implementing many processes to ensure the security of specific payment data, such as how it is processed and stored and who may access it, including access to a bank account. Without these procedures, access to bank card data or to a server room is not possible. 

DPO and DLP to the rescue 

The extremely secure world of PCI DSS is not the same as GDPR. The impact of data privacy is a much broader topic than sensitive data. 

The appointment of a DPO (Data Protection Officer) provides a point of reference on the subject. With legal expertise, the DPO is the guarantor of knowledge about all the data tied to the company's activity, from HR-related to daily operational information: its control, its proper treatment, the processes set up, and so on. 

The DPO will be the key to implementing the logic of DLP (Data Loss Prevention), which is not insignificant. Its purpose is to detect the slightest flaw or attempted illicit access to any personal data – a market that, according to recent statistics, is expected to explode in the coming years. The DPO will also play a major role in the elaboration and implementation of SOPs (Standard Operating Procedures), which are essential for any company to comply with GDPR and to be able to demonstrate compliance at all times. 

Specifically, the DLP is a set of techniques and tools that connect to various digital communication channels ranging from emails to digital printers. Thanks to a monitoring system, in the event of abnormal activity, an alert is immediately sent to the teams in charge. 

How to leverage customer data within the guidelines of GDPR? 

GDPR states that ‘individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered’. If businesses are not transparent in their use of customer data, they risk heavy fines. According to the latest statistics, there have been over EUR 359 million in major GDPR fines so far, nearly 8 out of 10 US companies have taken steps to comply with the GDPR, and 27% of companies spent over half a million dollars to become GDPR compliant. 

There are three main approaches to GDPR compliance: the first is not using customer data at all. The second approach would be to anonymise personal information, which can only be done in some cases, and it often leads to loss of useful insights into customers' preferences. The third solution is leveraging user-generated content (UGC), such as posts on social media platforms or reviews on retailer sites, by storing them along with a tokenized identifier that cannot be traced back to an individual's identity without consent from the user. This way, the company keeps up with trends and provides valuable recommendations for products based on what other people have bought before – without violating GDPR guidelines. 
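As an added illustration of the third approach (this is example code, not from the article or from Limonetik), the following Python sketch stores reviews under a keyed pseudonym token and only re-links a token to a person when that user has recorded consent; the class and function names are assumptions:

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

class PseudonymVault:
    """Hypothetical pseudonymisation service (added example, not Limonetik's code).
    Tokens are HMACs of the user id under a key only this service holds; an
    unkeyed hash of an email address could be reversed from a list of known
    addresses. The token-to-identity map never leaves the vault, and reverse
    lookup is answered only when the user has recorded consent."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._token_to_user = {}
        self._consented = set()

    def tokenize(self, user_id: str) -> str:
        token = hmac.new(self._key, user_id.encode(), hashlib.sha256).hexdigest()
        self._token_to_user[token] = user_id
        return token

    def set_consent(self, user_id: str, granted: bool) -> None:
        (self._consented.add if granted else self._consented.discard)(user_id)

    def reidentify(self, token: str) -> Optional[str]:
        """Identity behind a token, or None if that user has not consented."""
        user_id = self._token_to_user.get(token)
        return user_id if user_id in self._consented else None

def store_reviews(vault, reviews):
    """Replace the identity in each (user_id, product, text) review with its token."""
    return [{"token": vault.tokenize(u), "product": p, "text": t} for u, p, t in reviews]

def also_bought(store, product):
    """Trend query that needs only tokens: other products reviewed by the same pseudonyms."""
    buyers = {r["token"] for r in store if r["product"] == product}
    counts = Counter(r["product"] for r in store if r["token"] in buyers and r["product"] != product)
    return [p for p, _ in counts.most_common()]

# Constructed sample input: (user_id, product, review text)
SAMPLE_REVIEWS = [
    ("alice@example.com", "kettle", "Boils fast"),
    ("alice@example.com", "teapot", "Nice spout"),
    ("bob@example.com", "kettle", "Solid build"),
    ("bob@example.com", "mugs", "Good set"),
    ("carol@example.com", "teapot", "Leaks a bit"),
]
```

Because the vault can re-link tokens, the stored reviews remain pseudonymised rather than anonymised personal data and still fall under the regulation; the consent gate and the separation of the key and mapping from the review store are what keep the identity out of reach of the recommendation logic.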

Representing a real challenge for IT departments, GDPR compliance requires both technical and human resources. To be effective, the protection of personal data must, however, go into a broader framework for strategy and corporate culture. 

About Olivier Berthelier 

Olivier is co-founder and CTO of Limonetik. Before this, he was in charge of the R&D and Merchant Division. His global understanding of customer needs, web technologies, and the payment market gives him a forward-looking and strategic view with which to define the future of the full-service solution. As an engineer, he started his career at Tikit Spain, LECSOFT, and Priceminister. 

About Limonetik – a Thunes Company 

Limonetik is a full-service payment aggregator that offers, via a unique API connection, acceptance of more than 285 international payment methods and advanced services – from collection and settlement management to reconciliation and account management – to enable new payment experiences (marketplaces, omnichannel model). After the announcement of the acquisition by Thunes, the solution will be known as Thunes Collections.


Keywords: Limonetik, GDPR, regulation, SMEs, merchants, ecommerce
Categories: Payments & Commerce
Countries: World